[MAEC] MAEC 5.0 DRAFT Release


All,

The MAEC team and I are pleased to announce the draft release of MAEC 5.0.

Attached are the two specifications (core and vocabularies), which are also accessible at the links below. In addition, we have developed a full set of JSON schemas that correspond with the specifications, and also a Cuckoo Sandbox 2.x reporting module that produces native MAEC 5.0 output. We welcome any feedback and comments, and we’re particularly interested in hearing about anything you feel is confusing or under-specified in the specification. The comment period is open from now until COB on September 29th, 2017.


Re: [MAEC] MAEC 5.0 DRAFT Release

Hi Cheolho,

Thanks for the feedback.

> (1) How to contain MAEC 5.0 documents in the context of STIX 2.0.

Currently, there is no direct relationship between MAEC 5.0 and STIX 2.0, and therefore no standard way to natively embed MAEC 5.0 documents in STIX 2.0. You could use a custom property for this purpose (e.g., by including a property called “x_maec_package” on the Malware SDO), but it would not be official.

> (2) How to use "indicator" of STIX against MAEC 5.0 documents.

Related to your first question, there’s no standard way to do this today. What you could do is extract the STIX 2.0 Observable Objects from a MAEC 5.0 Package (included in the “observable_objects” property and which may be used by MAEC Malware Actions) and then create patterns from these Objects.

> So, MAEC 5.0 is just a reference for a detailed analysis result.. is this ok?

Our goal with MAEC 5.0 is to have a comprehensive language that various types of malware analysis tools can natively output; this output can then be used for further analytics, correlation, etc. I do agree that we should think about the STIX 2.0 relationship; one potential avenue I can see here is to create a script that can take a MAEC 5.0 Package and then create some form of STIX 2.0 from it.

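The reply above sketches two workarounds (a custom “x_maec_package” property on the Malware SDO, and deriving STIX patterns from the Package’s “observable_objects”). The script below is an added example, not MAEC project code or anything shipped with the draft release, showing both on a constructed MAEC 5.0 Package. It assumes only the standard library, treats “x_maec_package” as an unofficial convention exactly as the reply says, picks “trojan” / “malicious-activity” as placeholder STIX 2.0 labels, and the sample hash and domain are made up.

```python
"""Added example (not MAEC project code): bridge a MAEC 5.0 Package to STIX 2.0.

1. Carry the MAEC Package inside a STIX 2.0 Malware SDO via the custom
   "x_maec_package" property suggested in the thread (not an official binding).
2. Turn the STIX 2.0 Cyber Observable Objects held in the Package's
   "observable_objects" property into STIX 2.0 Indicator patterns.
"""
import json
import uuid
from datetime import datetime, timezone

# Constructed sample MAEC 5.0 Package; hash, name and domain are placeholders.
SAMPLE_PACKAGE = {
    "type": "package",
    "id": "package--2f0a4f7e-1c2b-4c9d-9a0e-0c4d6c7f8a10",
    "schema_version": "5.0",
    "maec_objects": [{
        "type": "malware-instance",
        "id": "malware-instance--7b2e1f40-5a3c-4d8e-9f10-1a2b3c4d5e6f",
        "instance_object_refs": ["0"],
    }],
    "observable_objects": {
        "0": {"type": "file", "name": "sample.exe", "hashes": {"SHA-256": "0" * 64}},
        "1": {"type": "domain-name", "value": "example.test"},
        "2": {"type": "ipv4-addr", "value": "192.0.2.10"},
        "3": {"type": "process", "command_line": "sample.exe /quiet"},
    },
}


def _escape(value):
    """Escape a value for a STIX 2.0 pattern string literal (backslash, quote)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def observable_to_pattern(obj):
    """Return an atomic STIX 2.0 pattern for one Cyber Observable Object,
    or None for object types this example does not map (e.g. process)."""
    otype = obj.get("type")
    if otype == "file":
        hashes = obj.get("hashes", {})
        # Prefer the strongest hash present; keys containing '-' must be quoted.
        for algo in ("SHA-256", "SHA-1", "MD5"):
            if algo in hashes:
                return "[file:hashes.'%s' = '%s']" % (algo, _escape(hashes[algo]))
        return "[file:name = '%s']" % _escape(obj["name"]) if "name" in obj else None
    if otype in ("domain-name", "ipv4-addr", "ipv6-addr", "url"):
        return "[%s:value = '%s']" % (otype, _escape(obj["value"]))
    return None


def package_to_patterns(package):
    """List (object_key, pattern) for every mappable observable in a Package."""
    result = []
    for key, obj in package.get("observable_objects", {}).items():
        pattern = observable_to_pattern(obj)
        if pattern is not None:
            result.append((key, pattern))
    return result


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def package_to_stix_bundle(package, malware_name):
    """Build a STIX 2.0 Bundle: one Malware SDO carrying the Package in the
    custom x_maec_package property, plus one Indicator per extracted pattern
    linked to the Malware SDO by an "indicates" relationship."""
    ts = _now()
    malware = {
        "type": "malware", "id": "malware--" + str(uuid.uuid4()),
        "created": ts, "modified": ts, "name": malware_name,
        "labels": ["trojan"],          # STIX 2.0 requires at least one label
        "x_maec_package": package,     # custom property, not an official binding
    }
    objects = [malware]
    for key, pattern in package_to_patterns(package):
        indicator = {
            "type": "indicator", "id": "indicator--" + str(uuid.uuid4()),
            "created": ts, "modified": ts, "labels": ["malicious-activity"],
            "pattern": pattern, "valid_from": ts,
            "description": "Derived from MAEC observable object %s" % key,
        }
        objects.append(indicator)
        objects.append({
            "type": "relationship", "id": "relationship--" + str(uuid.uuid4()),
            "created": ts, "modified": ts, "relationship_type": "indicates",
            "source_ref": indicator["id"], "target_ref": malware["id"],
        })
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()),
            "spec_version": "2.0", "objects": objects}


if __name__ == "__main__":
    print(json.dumps(package_to_stix_bundle(SAMPLE_PACKAGE, "Sample trojan"), indent=2))
```

The process object is deliberately skipped: a command line is not a stable atomic indicator, and the reply’s point is that only the Package’s Observable Objects lend themselves to pattern extraction. Consumers that validate STIX 2.0 strictly will reject the unknown “x_maec_package” property unless custom properties are allowed, which is the “not official” caveat from the reply in practice.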